3

I'm trying to configure an application running on Java 8 to support only TLSv1.2 connections. I've seen posts about altering .../jre/lib/security/java.security, using -Ddeployment.security.TLS* arguments when launching the JVM, and of course specifying an SSLContext of "TLSV1.2" in the code.

I've managed to get the server to support only TLSv1.1 and TLSv1.2, but have been unsuccessful at also turning away TLSv1.1 connections.

Any help would be appreciated. Thanks.

feh
  • 31
  • 1
  • 1
  • 3
  • The (current) `SSLContext` s set only an _upper_ bound on the protocol (unless FIPS mode). Do you or any library/middleware call `.setEnabledProtocols` on the resulting `SSLServerSocket SSLSocket` (s) and/or `SSLEngine` (s)? Do you have any non-standard settings in `JRE/lib/security/security.java` or equivalent calls to `Security.setProperty`? – dave_thompson_085 Apr 19 '17 at 01:20
  • I wasn't aware of the upper bound aspect. Thank you for that information. If I use setEnabledProtocols(), I get the desired result. However, this is a partial solution; my original question remains - is there a way to restrict enabled protocols to only TLS 1.2 for the entire JVM? – feh Apr 20 '17 at 13:16
  • For 8u31 and 7u75 up, you can edit `jdk.tls.disabledAlgorithms` in `java.security` (which your Q already lists, and applies to all JVMs running that JRE) or equivalently call `Security.setProperty` before JSSE is initialized (can vary per JVM, but may need updating when JRE default is updated OR cryptanalytic knowledge changes). Note this affects both incoming and outgoing connections (if you use both). Also found dupe http://stackoverflow.com/questions/32466407/how-to-force-java-server-to-accept-only-tls-1-2-and-reject-tls-1-0-and-tls-1-1-c – dave_thompson_085 Apr 23 '17 at 07:17
  • For some reason, using the jdk.tls.disabledAlgorithms parameter is not having the desired effect. Is that setting a "master switch", or can it be overridden by programmatic measures? I'm using the setting below, yet my server still accepts TLS 1.1 connections: jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1 DH keySize < 1024 – feh Apr 24 '17 at 19:06
  • There is no API to override disabledAlgorithms once set, although you can 'cheat' with reflection and change any Java internal field (unless a securitymanager is set and prohibits it). If you have correctly quoted the value you used, it is **apparently missing the comma** between TLSv1.1 and DH keySize<1024. This causes it to be parsed wrong and effectively ignores that item. – dave_thompson_085 Apr 26 '17 at 01:18

1 Answers1

0

Editing security.java does work, assuming you have all the necessary commas.

feh
  • 31
  • 1
  • 1
  • 3